
PURPOSE AND APPLICABILITY

In document Study Guide for FITSP-Manager (Page 193-196)

Electronic Records Management:

PURPOSE AND APPLICABILITY

The purpose of this publication is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. The guidelines have been developed:

• To ensure that managing information system-related security risks is consistent with the organization’s mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function);

• To ensure that information security requirements, including necessary security controls, are integrated into the organization’s enterprise architecture and system development life cycle processes;

• To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk management-related information, and reciprocity;11 and

• To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies.

This publication satisfies the requirements of the Federal Information Security Management Act (FISMA) and meets or exceeds the information security requirements established for executive agencies by the Office of Management and Budget (OMB) in Circular A-130, Appendix III, Security of Federal Automated Information Resources. The guidelines in this publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems. State, local, and tribal governments, as well as private sector organizations, are encouraged to consider using these guidelines, as appropriate.

Chapter Two describes the fundamental concepts associated with managing information system-related security risks including: (i) an organization-wide view of risk management and the application of the Risk Management Framework; (ii) the integration of information security requirements into the system development life cycle; (iii) the establishment of information system boundaries; and (iv) the allocation of security controls to organizational information systems as system-specific, hybrid, or common controls.

Chapter Three describes the tasks required to apply the Risk Management Framework to information systems including: (i) the categorization of information and information systems; (ii) the selection of security controls; (iii) the implementation of security controls; (iv) the assessment of security control effectiveness; (v) the authorization of the information system; and (vi) the ongoing monitoring of security controls and the security state of the information system.

Supporting appendices provide additional information regarding the application of the Risk Management Framework to information systems including: (i) references; (ii) glossary; (iii) acronyms; (iv) roles and responsibilities; (v) summary of Risk Management Framework tasks; (vi) security authorization of information systems; (vii) monitoring the security state of information systems; (viii) operational scenarios; and (ix) security controls in external environments.

7. 800-59 - Guideline for Identifying an Information System as a National Security System

Executive Summary

Defense, including the National Security Agency, for identifying an information system as a national security system. The basis for these guidelines is the Federal Information Security Management Act of 2002 (FISMA, Title III, Public Law 107-347, December 17, 2002), which provides government-wide requirements for information security, superseding the Government Information Security Reform Act and the Computer Security Act.

Except for national security systems as defined by FISMA, the Secretary of Commerce is responsible for prescribing standards and guidelines pertaining to Federal information systems on the basis of standards and guidelines developed by NIST. The Committee on National Security Systems (CNSS), along with Federal agencies that operate systems falling within the definition of national security systems, provides security standards and guidance for national security systems. In addition to defining the term national security system, FISMA amended the NIST Act, at 15 U.S.C. 278g-3(b)(3), to require NIST to provide guidelines for identifying an information system as a national security system. As stated in the House Committee report, "This guidance is not to govern such systems, but rather to ensure that agencies receive consistent guidance on the identification of systems that should be governed by national security system requirements." Report of the Committee on Government Reform, U.S. House of Representatives, Report 107-787, November 14, 2002, p. 85.

The Department of Defense and the Director, Central Intelligence have authority to develop policies, guidelines, and standards for national security systems. The Director, Central Intelligence is responsible for policies relating to systems processing intelligence information. The Committee for National Security Systems, whose executive agent is the National Security Agency, was established to develop operating policies, procedures, guidelines, instructions and standards as necessary to implement provisions of the National Policy for the Security of National Security Telecommunications and Information Systems (see NSTISSD Number 502). The Director of the Office of Management and Budget (OMB) retains responsibility for oversight of national security system information security policies and practices with respect to:

• Overseeing agency compliance with the requirements of Subchapter III of Chapter 35 of Title 44, United States Code, including through any authorized action under Title 40, United States Code, section 11303, to enforce accountability for compliance with such requirements; and

• Reporting to Congress no later than March 1 of each year on agency compliance with the requirements of Subchapter III of Chapter 35 of Title 44, United States Code, including:

o A summary of the findings of evaluations required by 44 U.S.C. 3545;

o An assessment of the development, promulgation, and adoption of, and compliance with, standards developed under 15 U.S.C. 278g-3 and promulgated under 40 U.S.C. 11331;

o Significant deficiencies in agency information security practices;

o Planned remedial action to address such deficiencies; and

o A summary of, and OMB views on, the report prepared by NIST under 15 U.S.C. 278g-3.

Accordingly, the purpose of these guidelines is not to establish requirements for national security systems, but rather to assist agencies in determining which, if any, of their systems are national security systems as defined by FISMA and are to be governed by applicable requirements for such systems, issued in accordance with law and as directed by the President.

1.0 Introduction

2.0 Basis for Identification of National Security Systems

3.0 Method for Identifying National Security Systems

3.1 Determination of Responsibilities

3.2 National Security System Identification Checklist

3.3 Dispute Resolution

Appendix A: National Security System Identification Checklist

A.1 Minimum Question Set

A.1.1 Intelligence Activities

A.1.2 Cryptologic Activities

A.1.3 Command and Control of Military Forces

A.1.4 Weapons and Weapons Systems

A.1.5 Systems Critical to the Direct Fulfillment of Military or Intelligence Missions

A.1.6 Classified Systems

A.2 Optional Checklist Material

A.3 Checklist

Appendix B: References

Appendix C: Glossary of Terms

8. 800-60 Rev1 - Guide for Mapping Types of Information and Information Systems to Security Categories (2 Volumes)

Executive Summary

Title III of the E-Government Act (Public Law 107-347), titled the Federal Information Security Management Act (FISMA), tasked the National Institute of Standards and Technology (NIST) to develop:

• Standards to be used by all Federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;

• Guidelines recommending the types of information and information systems to be included in each such category; and

• Minimum information security requirements (i.e., management, operational, and technical security controls) for information and information systems in each such category.

In response to the second of these tasks, this guideline has been developed to assist Federal government agencies to categorize information and information systems. The guideline’s objective is to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system. This guideline assumes that the user is familiar with Standards for Security Categorization of Federal Information and Information Systems (Federal Information Processing Standard [FIPS] 199). The guideline and its appendices:

• Review the security categorization terms and definitions established by FIPS 199;

• Recommend a security categorization process;

• Describe a methodology for identifying types of Federal information and information systems;

• Suggest provisional security impact levels for common information types;

• Discuss information attributes that may result in variances from the provisional impact level assignment; and

• Describe how to establish a system security categorization based on the system’s use, connectivity, and aggregate information content.

This document is intended as a reference resource rather than as a tutorial, and not all of the material will be relevant to all agencies. This document includes two volumes, a basic guideline and a volume of appendices. Users should review the guidelines provided in Volume I, then refer to only that specific material from the appendices that applies to their own systems and applications. The provisional impact assignments are provided in Volume II, Appendices C and D. The basis employed in this guideline for the identification of information types is the Office of Management and Budget’s Federal Enterprise Architecture (FEA) Program Management Office (PMO) October 2007 publication, The Consolidated Reference Model Document Version 2.3.
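The categorization process summarized above (provisional impact levels per information type, the FIPS 199 high water mark across the system's aggregate information content, and a variance step for system use and connectivity) can be worked through in code. The following is an added example, not NIST's or the study guide's material; the information types, their impact levels and the `hr_system` name are constructed, and the real provisional assignments live in SP 800-60 Volume II, Appendices C and D.

```python
# Added example (not NIST's code): FIPS 199 / SP 800-60 style categorization.
# Information types and provisional impact levels below are constructed; the
# real provisional assignments are in SP 800-60 Volume II, Appendices C and D.
LEVELS = ("LOW", "MODERATE", "HIGH")  # FIPS 199 potential impact, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")

def high_water_mark(levels):
    """Highest FIPS 199 impact level among the given levels."""
    levels = list(levels)
    if not levels or any(lvl not in LEVELS for lvl in levels):
        raise ValueError(f"invalid impact levels: {levels}")
    return max(levels, key=LEVELS.index)

def system_category(info_types, adjustments=None):
    """Security category from the system's aggregate information content.

    info_types: {name: {objective: provisional level}}. Per objective the
    system level is the high water mark over all types. adjustments:
    {objective: level} overriding that result, modelling the SP 800-60 step
    where system use, connectivity or aggregation justifies a variance.
    """
    category = {
        obj: high_water_mark(lv[obj] for lv in info_types.values())
        for obj in OBJECTIVES
    }
    for obj, level in (adjustments or {}).items():
        if obj not in OBJECTIVES or level not in LEVELS:
            raise ValueError(f"bad adjustment {obj}={level}")
        category[obj] = level
    return category

def overall_impact(category):
    """System impact level: high water mark across the three objectives."""
    return high_water_mark(category.values())

def format_sc(name, category):
    """Render in FIPS 199 notation: SC name = {(confidentiality, X), ...}."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"

# Constructed sample: a hypothetical HR system holding two information types.
SAMPLE_TYPES = {
    "personnel records": dict(confidentiality="MODERATE", integrity="LOW", availability="LOW"),
    "payroll processing": dict(confidentiality="LOW", integrity="MODERATE", availability="LOW"),
}

if __name__ == "__main__":
    cat = system_category(SAMPLE_TYPES, adjustments={"availability": "MODERATE"})
    print(format_sc("hr_system", cat), "->", overall_impact(cat))
```

Without the availability adjustment the sample system categorizes as MODERATE for confidentiality and integrity and LOW for availability, so the system impact level is MODERATE; raising any one objective to HIGH raises the overall level with it.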
